Answer yes if your organisation controls access to its application source code. This is typically done by using a code repository with robust access controls implemented, including maintaining an audit log of all access.
What is it?
In a way, your source code is your applications’ DNA. It is essential to tightly control who has access to it and who can modify it, to reduce the risk of it being stolen or used as a vector of attack against your customers.
Why should I have it?
Compromises to your software’s source code can have far-reaching implications. Attackers could manipulate the code to perform malicious actions, from ransomware attacks to opening up backdoors to your infrastructure for others to exploit.
Arguably the two most costly cyber attacks ever devised, whose damages can be calculated to be in the billions of dollars, relied on compromising the source code of software products, which were then distributed to thousands of the vendors’ clients when they installed updates from the vendor as normal.
It is possibly the single biggest area of concern for clients if they are to run your software in their infrastructure, as your compromised code could devastate that infrastructure.
Controlling access to source code is no different than controlling access to any other sensitive data in your organisation, but its criticality means every measure should be taken to protect it, and the software development and storage process should be thoroughly thought out from conception to storage and distribution.
We recommend creating a separate policy around source code with the highest possible standards, ensuring that code cannot be inserted into or modified in repositories by unauthorised individuals, that code is objectively reviewed and tested before release, and that the security of systems used to store and/or distribute code is held to the highest possible level, including focused monitoring and the highest priority for patching.
There are numerous consultancies or individual consultants that will be able to assist in crafting a policy and implementing technical controls to protect your source code in a way that meets your business and technical requirements.